THE CUTTING EDGE: FOCUS ON TECHNOLOGY | RELEASE 3.0 / ESTHER DYSON

Control of Private Data Belongs in Hands of Consumers, Not Vendors

March 20, 2000|ESTHER DYSON | Esther Dyson edits the technology newsletter Release 1.0 and is the author of the bestseller "Release 2.0." She is also chairwoman of the Internet Corporation for Assigned Names and Numbers

"I made a mistake." With those words Kevin O'Connor, founder and chief executive of DoubleClick, the Internet's biggest supplier of advertising banners, attempted to reclaim his company's good standing.

There is some argument about what O'Connor's mistake was--bad behavior, disclosing bad behavior, or simply failing to understand the world's reaction to bad behavior.

DoubleClick had planned to match anonymous data collected online from Web visitors with personal data collected offline by a company it recently purchased. The latter database contains detailed information on almost 90 million U.S. households.

Those plans delighted Wall Street and appalled "privacy advocates." DoubleClick became a lightning rod for legitimate questions and for fears and fantasies.

One issue became clear: Consumers throughout the world are just beginning to understand how information can follow them from Web site to Web site.

And it brings up another issue: How much privacy is the individual entitled to in the age of the Internet? And why can't each individual define that answer for himself? It's a complicated question, and it goes well beyond the specifics of information you disclose at a Web site.

*

The concept of privacy is changing radically as a result of our new computer-based lives. Privacy used to be achieved through the sheer "friction" of everyday life: distance, time and the lack of records. Information didn't travel well, and most people who wanted to escape their pasts could simply move to a new location.

Now the picture has changed. You can escape your surroundings through the Internet, but your actions can easily catch up with you.

And it's not just the Internet; it's electronic toll roads (Exactly when did you leave that party?), credit card transactions (We know what hotel you went to), vendor databases (And what book you bought), cell-phone records (Whom you called), and much, much more.

At work, your arrival and departure times may be recorded, along with your Web searches, e-mail messages and sick days.

What makes all this information more scary is the growing ability to combine it: the products you bought from a variety of different merchants; your sick days plus someone else's hotel bills. It's not the routine use of this information for marketing purposes that most people find so troubling; it's the way someone with an agenda might put the pieces together.

DoubleClick said that consumers always had the option to ask to be removed from its database, but that didn't mean much to most people. Most consumers barely understand how the data is collected, let alone how to ask to be left out.

So the ability to get removed--to "opt-out"--wasn't very meaningful. Many people (I'm among them) think that "opt-in" makes more sense. The user has to ask explicitly to be included.

When DoubleClick first announced its plans to combine offline and online data, many people assumed it was already doing so. After hoping for a while that the issue would go away, the company last month announced a new privacy initiative, with its own internal privacy officer and a contract with PricewaterhouseCoopers to perform privacy audits.

But that wasn't enough. And so recently, O'Connor admitted his mistake and announced, "Until there is agreement between government and industry on privacy standards, we will not link personally identifiable information to anonymous user activity across Web sites."

That sounded like a request for government regulation, as there is in Europe and many other places.

The irony, of course, is that the recent sequence of events illustrates that publicity and disclosure can work in changing corporate behavior. And ironically, it is a corporation that is requesting straightforward rules--uncertainty is what business hates the most.

Privacy advocates want to regulate what is done with consumers' data, forbidding certain practices outright. Marketers (including DoubleClick) argue that marketers should control the data they collect; consumers are free to "opt out."

If consumers want free content on the Web, the marketers argue, then they should have it--and we should have their data in exchange.

*

In many circumstances, consumers are happy to be "known." It's convenient to have a vendor know your shoe size, your seating preference, your "regular" grocery order. It's pleasant to be greeted by name and to be offered books, stocks or a rental car that match your preferences.

So the solution is not to stop progress, to eliminate the collection and use of data, or miss all the efficiencies and conveniences new technology affords. It's to put control of the data back where it belongs--in the hands of the individuals who generate it.

By and large, that doesn't mean passing new laws, but rather setting new expectations--getting individuals to demand the terms and conditions they have a right to.